Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / 3563fde6a02c2a75d0b4ba629d80c5511056a688 / . / clang / test / Analysis / malloc.c
blob: bdbd96e2be4e4b15474fa9d060ac20c3aebfb6d0 [file] [log] [blame]
Anna Zaks0cdce4d2012-02-20 21:10:37 +0000[diff] [blame]1// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.deadcode.UnreachableCode,experimental.core.CastSize,unix.Malloc -analyzer-store=region -verify %s
Anna Zaks41b84842012-02-11 23:46:36 +0000[diff] [blame]2#include "system-header-simulator.h"
3
Eli Friedmanb7746852009-11-14 04:23:25 +0000[diff] [blame]4typedef __typeof(sizeof(int)) size_t;
Ted Kremenek9430bf22009-11-13 20:03:22 +0000[diff] [blame]5void *malloc(size_t);
Anna Zaksd5157482012-02-15 00:11:22 +0000[diff] [blame]6void *valloc(size_t);
Ted Kremenek9430bf22009-11-13 20:03:22 +0000[diff] [blame]7void free(void *);
Zhongxing Xuc0484fa2009-12-12 12:29:38 +0000[diff] [blame]8void *realloc(void *ptr, size_t size);
Anna Zaksac068142012-02-15 00:11:25 +0000[diff] [blame]9void *reallocf(void *ptr, size_t size);
Zhongxing Xuc0484fa2009-12-12 12:29:38 +0000[diff] [blame]10void *calloc(size_t nmemb, size_t size);
Anna Zaks46d01602012-05-18 01:16:10 +0000[diff] [blame]11char *strdup(const char *s);
12char *strndup(const char *s, size_t n);
Ted Kremenekd21139a2010-07-31 01:52:11 +0000[diff] [blame]13
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]14void myfoo(int *p);
15void myfooint(int p);
Anna Zaks5a6213d2012-02-15 00:11:28 +0000[diff] [blame]16char *fooRetPtr();
Zhongxing Xuc7460962009-11-13 07:48:11 +0000[diff] [blame]17
18void f1() {
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]19 int *p = malloc(12);
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]20 return; // expected-warning{{Memory is never released; potential leak}}
Zhongxing Xuc7460962009-11-13 07:48:11 +0000[diff] [blame]21}
22
Zhongxing Xuc7460962009-11-13 07:48:11 +0000[diff] [blame]23void f2() {
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]24 int *p = malloc(12);
Zhongxing Xuc7460962009-11-13 07:48:11 +0000[diff] [blame]25 free(p);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]26 free(p); // expected-warning{{Attempt to free released memory}}
Zhongxing Xuc7460962009-11-13 07:48:11 +0000[diff] [blame]27}
Ted Kremeneke5e977012009-11-13 20:00:28 +0000[diff] [blame]28
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]29void f2_realloc_0() {
30 int *p = malloc(12);
31 realloc(p,0);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]32 realloc(p,0); // expected-warning{{Attempt to free released memory}}
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]33}
34
35void f2_realloc_1() {
36 int *p = malloc(12);
Zhongxing Xubfb8e2f2011-09-01 04:53:59 +0000[diff] [blame]37 int *q = realloc(p,0); // no-warning
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]38}
39
Anna Zaksd56c8792012-02-13 18:05:39 +0000[diff] [blame]40void reallocNotNullPtr(unsigned sizeIn) {
41 unsigned size = 12;
42 char *p = (char*)malloc(size);
43 if (p) {
44 char *q = (char*)realloc(p, sizeIn);
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]45 char x = *q; // expected-warning {{Memory is never released; potential leak}}
Anna Zaksd56c8792012-02-13 18:05:39 +0000[diff] [blame]46 }
47}
48
49int *realloctest1() {
50 int *q = malloc(12);
51 q = realloc(q, 20);
52 return q; // no warning - returning the allocated value
53}
54
55// p should be freed if realloc fails.
56void reallocFails() {
57 char *p = malloc(12);
58 char *r = realloc(p, 12+1);
59 if (!r) {
60 free(p);
61 } else {
62 free(r);
63 }
64}
65
Anna Zaks8fd0f2a2012-02-13 20:57:07 +0000[diff] [blame]66void reallocSizeZero1() {
67 char *p = malloc(12);
68 char *r = realloc(p, 0);
69 if (!r) {
70 free(p);
71 } else {
72 free(r);
73 }
74}
75
76void reallocSizeZero2() {
77 char *p = malloc(12);
78 char *r = realloc(p, 0);
79 if (!r) {
80 free(p);
81 } else {
82 free(r);
83 }
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]84 free(p); // expected-warning {{Attempt to free released memory}}
Anna Zaks8fd0f2a2012-02-13 20:57:07 +0000[diff] [blame]85}
86
87void reallocSizeZero3() {
88 char *p = malloc(12);
89 char *r = realloc(p, 0);
90 free(r);
91}
92
93void reallocSizeZero4() {
94 char *r = realloc(0, 0);
95 free(r);
96}
97
98void reallocSizeZero5() {
99 char *r = realloc(0, 0);
100}
101
102void reallocPtrZero1() {
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]103 char *r = realloc(0, 12); // expected-warning {{Memory is never released; potential leak}}
Anna Zaks8fd0f2a2012-02-13 20:57:07 +0000[diff] [blame]104}
105
106void reallocPtrZero2() {
107 char *r = realloc(0, 12);
108 if (r)
109 free(r);
110}
111
112void reallocPtrZero3() {
113 char *r = realloc(0, 12);
114 free(r);
115}
116
Anna Zaksad01ef52012-02-14 00:26:13 +0000[diff] [blame]117void reallocRadar6337483_1() {
118 char *buf = malloc(100);
119 buf = (char*)realloc(buf, 0x1000000);
120 if (!buf) {
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]121 return;// expected-warning {{Memory is never released; potential leak}}
Anna Zaksad01ef52012-02-14 00:26:13 +0000[diff] [blame]122 }
123 free(buf);
124}
125
126void reallocRadar6337483_2() {
127 char *buf = malloc(100);
128 char *buf2 = (char*)realloc(buf, 0x1000000);
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]129 if (!buf2) { // expected-warning {{Memory is never released; potential leak}}
Anna Zaksad01ef52012-02-14 00:26:13 +0000[diff] [blame]130 ;
131 } else {
132 free(buf2);
133 }
134}
135
136void reallocRadar6337483_3() {
137 char * buf = malloc(100);
138 char * tmp;
139 tmp = (char*)realloc(buf, 0x1000000);
140 if (!tmp) {
141 free(buf);
142 return;
143 }
144 buf = tmp;
145 free(buf);
146}
147
148void reallocRadar6337483_4() {
149 char *buf = malloc(100);
150 char *buf2 = (char*)realloc(buf, 0x1000000);
151 if (!buf2) {
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]152 return; // expected-warning {{Memory is never released; potential leak}}
Anna Zaksad01ef52012-02-14 00:26:13 +0000[diff] [blame]153 } else {
154 free(buf2);
155 }
156}
157
Anna Zaksac068142012-02-15 00:11:25 +0000[diff] [blame]158int *reallocfTest1() {
159 int *q = malloc(12);
160 q = reallocf(q, 20);
161 return q; // no warning - returning the allocated value
162}
163
164void reallocfRadar6337483_4() {
165 char *buf = malloc(100);
166 char *buf2 = (char*)reallocf(buf, 0x1000000);
167 if (!buf2) {
168 return; // no warning - reallocf frees even on failure
169 } else {
170 free(buf2);
171 }
172}
173
174void reallocfRadar6337483_3() {
175 char * buf = malloc(100);
176 char * tmp;
177 tmp = (char*)reallocf(buf, 0x1000000);
178 if (!tmp) {
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]179 free(buf); // expected-warning {{Attempt to free released memory}}
Anna Zaksac068142012-02-15 00:11:25 +0000[diff] [blame]180 return;
181 }
182 buf = tmp;
183 free(buf);
184}
185
186void reallocfPtrZero1() {
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]187 char *r = reallocf(0, 12); // expected-warning {{Memory is never released; potential leak}}
Anna Zaksac068142012-02-15 00:11:25 +0000[diff] [blame]188}
189
190
Zhongxing Xu4668c7e2009-11-17 07:54:15 +0000[diff] [blame]191// This case tests that storing malloc'ed memory to a static variable which is
192// then returned is not leaked. In the absence of known contracts for functions
193// or inter-procedural analysis, this is a conservative answer.
Ted Kremeneke5e977012009-11-13 20:00:28 +0000[diff] [blame]194int *f3() {
195 static int *p = 0;
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]196 p = malloc(12);
Zhongxing Xu23baa012009-11-17 08:58:18 +0000[diff] [blame]197 return p; // no-warning
Ted Kremeneke5e977012009-11-13 20:00:28 +0000[diff] [blame]198}
199
Zhongxing Xu4668c7e2009-11-17 07:54:15 +0000[diff] [blame]200// This case tests that storing malloc'ed memory to a static global variable
201// which is then returned is not leaked. In the absence of known contracts for
202// functions or inter-procedural analysis, this is a conservative answer.
Ted Kremeneke5e977012009-11-13 20:00:28 +0000[diff] [blame]203static int *p_f4 = 0;
204int *f4() {
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]205 p_f4 = malloc(12);
Zhongxing Xu23baa012009-11-17 08:58:18 +0000[diff] [blame]206 return p_f4; // no-warning
Ted Kremeneke5e977012009-11-13 20:00:28 +0000[diff] [blame]207}
Zhongxing Xuc0484fa2009-12-12 12:29:38 +0000[diff] [blame]208
209int *f5() {
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]210 int *q = malloc(12);
Zhongxing Xuc0484fa2009-12-12 12:29:38 +0000[diff] [blame]211 q = realloc(q, 20);
212 return q; // no-warning
213}
Zhongxing Xub0e15df2009-12-31 06:13:07 +0000[diff] [blame]214
215void f6() {
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]216 int *p = malloc(12);
Zhongxing Xub0e15df2009-12-31 06:13:07 +0000[diff] [blame]217 if (!p)
218 return; // no-warning
219 else
220 free(p);
221}
Zhongxing Xu5fcd99b2010-01-18 04:01:40 +0000[diff] [blame]222
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]223void f6_realloc() {
224 int *p = malloc(12);
225 if (!p)
226 return; // no-warning
227 else
228 realloc(p,0);
229}
230
231
Zhongxing Xu5fcd99b2010-01-18 04:01:40 +0000[diff] [blame]232char *doit2();
233void pr6069() {
234 char *buf = doit2();
235 free(buf);
236}
Zhongxing Xube36ecb2010-02-14 06:49:48 +0000[diff] [blame]237
238void pr6293() {
239 free(0);
240}
Zhongxing Xu1bb6a1a2010-03-10 04:58:55 +0000[diff] [blame]241
242void f7() {
243 char *x = (char*) malloc(4);
244 free(x);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]245 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
Zhongxing Xu1bb6a1a2010-03-10 04:58:55 +0000[diff] [blame]246}
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]247
Anna Zaks46d01602012-05-18 01:16:10 +0000[diff] [blame]248void f8() {
249 char *x = (char*) malloc(4);
250 free(x);
251 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
252}
253
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]254void f7_realloc() {
255 char *x = (char*) malloc(4);
256 realloc(x,0);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]257 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
Lenny Maiorani005b5c12011-04-27 14:49:29 +0000[diff] [blame]258}
259
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]260void PR6123() {
261 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}}
262}
263
264void PR7217() {
265 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}}
266 buf[1] = 'c'; // not crash
Zhongxing Xu658dd8b2010-05-25 04:59:19 +0000[diff] [blame]267}
Jordy Rose2dd9b022010-06-20 04:30:57 +0000[diff] [blame]268
269void mallocCastToVoid() {
270 void *p = malloc(2);
271 const void *cp = p; // not crash
272 free(p);
273}
274
275void mallocCastToFP() {
276 void *p = malloc(2);
277 void (*fp)() = p; // not crash
278 free(p);
279}
280
Zhongxing Xu527ff6d2010-06-01 03:01:33 +0000[diff] [blame]281// This tests that malloc() buffers are undefined by default
282char mallocGarbage () {
283 char *buf = malloc(2);
284 char result = buf[1]; // expected-warning{{undefined}}
285 free(buf);
286 return result;
287}
288
289// This tests that calloc() buffers need to be freed
290void callocNoFree () {
291 char *buf = calloc(2,2);
292 return; // expected-warning{{never released}}
293}
294
295// These test that calloc() buffers are zeroed by default
296char callocZeroesGood () {
297 char *buf = calloc(2,2);
298 char result = buf[3]; // no-warning
299 if (buf[1] == 0) {
300 free(buf);
301 }
302 return result; // no-warning
303}
304
305char callocZeroesBad () {
306 char *buf = calloc(2,2);
307 char result = buf[3]; // no-warning
308 if (buf[1] != 0) {
Tom Carecba9f512010-07-23 23:04:53 +0000[diff] [blame]309 free(buf); // expected-warning{{never executed}}
Zhongxing Xu527ff6d2010-06-01 03:01:33 +0000[diff] [blame]310 }
311 return result; // expected-warning{{never released}}
312}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]313
314void nullFree() {
315 int *p = 0;
316 free(p); // no warning - a nop
317}
318
319void paramFree(int *p) {
320 myfoo(p);
321 free(p); // no warning
322 myfoo(p); // TODO: This should be a warning.
323}
324
325int* mallocEscapeRet() {
326 int *p = malloc(12);
327 return p; // no warning
328}
329
330void mallocEscapeFoo() {
331 int *p = malloc(12);
332 myfoo(p);
333 return; // no warning
334}
335
336void mallocEscapeFree() {
337 int *p = malloc(12);
338 myfoo(p);
339 free(p);
340}
341
342void mallocEscapeFreeFree() {
343 int *p = malloc(12);
344 myfoo(p);
345 free(p);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]346 free(p); // expected-warning{{Attempt to free released memory}}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]347}
348
349void mallocEscapeFreeUse() {
350 int *p = malloc(12);
351 myfoo(p);
352 free(p);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]353 myfoo(p); // expected-warning{{Use of memory after it is freed}}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]354}
355
356int *myalloc();
357void myalloc2(int **p);
358
359void mallocEscapeFreeCustomAlloc() {
360 int *p = malloc(12);
361 myfoo(p);
362 free(p);
363 p = myalloc();
364 free(p); // no warning
365}
366
367void mallocEscapeFreeCustomAlloc2() {
368 int *p = malloc(12);
369 myfoo(p);
370 free(p);
371 myalloc2(&p);
372 free(p); // no warning
373}
374
375void mallocBindFreeUse() {
376 int *x = malloc(12);
377 int *y = x;
378 free(y);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]379 myfoo(x); // expected-warning{{Use of memory after it is freed}}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]380}
381
382void mallocEscapeMalloc() {
383 int *p = malloc(12);
384 myfoo(p);
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]385 p = malloc(12); // expected-warning{{Memory is never released; potential leak}}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]386}
387
388void mallocMalloc() {
389 int *p = malloc(12);
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]390 p = malloc(12); // expected-warning 2 {{Memory is never released; potential leak}}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]391}
392
393void mallocFreeMalloc() {
394 int *p = malloc(12);
395 free(p);
396 p = malloc(12);
397 free(p);
398}
399
Anna Zaks12259b42012-02-09 06:25:47 +0000[diff] [blame]400void mallocFreeUse_params() {
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]401 int *p = malloc(12);
402 free(p);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]403 myfoo(p); //expected-warning{{Use of memory after it is freed}}
Anna Zaks41b84842012-02-11 23:46:36 +0000[diff] [blame]404}
405
406void mallocFreeUse_params2() {
407 int *p = malloc(12);
408 free(p);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]409 myfooint(*p); //expected-warning{{Use of memory after it is freed}}
Anna Zaksa1b227b2012-02-08 23:16:56 +0000[diff] [blame]410}
411
Anna Zaks2b5bb972012-02-09 06:25:51 +0000[diff] [blame]412void mallocFailedOrNot() {
413 int *p = malloc(12);
414 if (!p)
415 free(p);
416 else
417 free(p);
418}
419
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]420struct StructWithInt {
421 int g;
422};
Anna Zaks3aa52252012-02-11 21:44:39 +0000[diff] [blame]423
424int *mallocReturnFreed() {
425 int *p = malloc(12);
426 free(p);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]427 return p; // expected-warning {{Use of memory after it is freed}}
Anna Zaks3aa52252012-02-11 21:44:39 +0000[diff] [blame]428}
429
430int useAfterFreeStruct() {
431 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
432 px->g = 5;
433 free(px);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]434 return px->g; // expected-warning {{Use of memory after it is freed}}
Anna Zaks3aa52252012-02-11 21:44:39 +0000[diff] [blame]435}
436
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]437void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
438
439void mallocEscapeFooNonSymbolArg() {
440 struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
441 nonSymbolAsFirstArg(&p->g, p);
442 return; // no warning
443}
444
Anna Zaksbb1ef902012-02-11 21:02:35 +0000[diff] [blame]445void mallocFailedOrNotLeak() {
446 int *p = malloc(12);
447 if (p == 0)
448 return; // no warning
449 else
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]450 return; // expected-warning {{Memory is never released; potential leak}}
Anna Zaksbb1ef902012-02-11 21:02:35 +0000[diff] [blame]451}
Anna Zaks31886862012-02-10 01:11:00 +0000[diff] [blame]452
Anna Zaks5a6213d2012-02-15 00:11:28 +0000[diff] [blame]453void mallocAssignment() {
454 char *p = malloc(12);
455 p = fooRetPtr(); // expected-warning {{leak}}
456}
457
Anna Zaksd5157482012-02-15 00:11:22 +0000[diff] [blame]458int vallocTest() {
459 char *mem = valloc(12);
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]460 return 0; // expected-warning {{Memory is never released; potential leak}}
Anna Zaksd5157482012-02-15 00:11:22 +0000[diff] [blame]461}
462
463void vallocEscapeFreeUse() {
464 int *p = valloc(12);
465 myfoo(p);
466 free(p);
Anna Zaks546c49c2012-02-16 22:26:12 +0000[diff] [blame]467 myfoo(p); // expected-warning{{Use of memory after it is freed}}
Anna Zaksd5157482012-02-15 00:11:22 +0000[diff] [blame]468}
469
Anna Zaks12259b42012-02-09 06:25:47 +0000[diff] [blame]470int *Gl;
471struct GlStTy {
472 int *x;
473};
474
475struct GlStTy GlS = {0};
476
477void GlobalFree() {
478 free(Gl);
479}
480
481void GlobalMalloc() {
482 Gl = malloc(12);
483}
484
485void GlobalStructMalloc() {
486 int *a = malloc(12);
487 GlS.x = a;
488}
489
490void GlobalStructMallocFree() {
491 int *a = malloc(12);
492 GlS.x = a;
493 free(GlS.x);
494}
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]495
Anna Zaks33c364b2012-02-16 22:26:15 +0000[diff] [blame]496char *ArrayG[12];
497
498void globalArrayTest() {
499 char *p = (char*)malloc(12);
500 ArrayG[0] = p;
501}
502
Anna Zaksd32ead82012-02-16 03:40:57 +0000[diff] [blame]503// Make sure that we properly handle a pointer stored into a local struct/array.
504typedef struct _StructWithPtr {
505 int *memP;
506} StructWithPtr;
507
508static StructWithPtr arrOfStructs[10];
509
510void testMalloc() {
511 int *x = malloc(12);
512 StructWithPtr St;
513 St.memP = x;
514 arrOfStructs[0] = St;
515}
516
517StructWithPtr testMalloc2() {
518 int *x = malloc(12);
519 StructWithPtr St;
520 St.memP = x;
521 return St;
522}
523
524int *testMalloc3() {
525 int *x = malloc(12);
526 int *y = x;
527 return y;
528}
529
Anna Zaks1fdedc92012-02-17 22:35:34 +0000[diff] [blame]530void testElemRegion1() {
531 char *x = (void*)malloc(2);
532 int *ix = (int*)x;
533 free(&(x[0]));
534}
535
536void testElemRegion2(int **pp) {
537 int *p = malloc(12);
538 *pp = p;
539 free(pp[0]);
540}
541
542void testElemRegion3(int **pp) {
543 int *p = malloc(12);
544 *pp = p;
545 free(*pp);
546}
Anna Zaksbb1ef902012-02-11 21:02:35 +0000[diff] [blame]547// Region escape testing.
548
549unsigned takePtrToPtr(int **p);
550void PassTheAddrOfAllocatedData(int f) {
551 int *p = malloc(12);
552 // We don't know what happens after the call. Should stop tracking here.
553 if (takePtrToPtr(&p))
554 f++;
555 free(p); // no warning
556}
557
558struct X {
559 int *p;
560};
561unsigned takePtrToStruct(struct X *s);
562int ** foo2(int *g, int f) {
563 int *p = malloc(12);
564 struct X *px= malloc(sizeof(struct X));
565 px->p = p;
566 // We don't know what happens after this call. Should not track px nor p.
567 if (takePtrToStruct(px))
568 f++;
569 free(p);
570 return 0;
571}
572
573struct X* RegInvalidationDetect1(struct X *s2) {
574 struct X *px= malloc(sizeof(struct X));
575 px->p = 0;
576 px = s2;
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]577 return px; // expected-warning {{Memory is never released; potential leak}}
Anna Zaksbb1ef902012-02-11 21:02:35 +0000[diff] [blame]578}
579
580struct X* RegInvalidationGiveUp1() {
581 int *p = malloc(12);
582 struct X *px= malloc(sizeof(struct X));
583 px->p = p;
584 return px;
585}
586
587int **RegInvalidationDetect2(int **pp) {
588 int *p = malloc(12);
589 pp = &p;
590 pp++;
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]591 return 0;// expected-warning {{Memory is never released; potential leak}}
Anna Zaksbb1ef902012-02-11 21:02:35 +0000[diff] [blame]592}
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]593
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]594extern void exit(int) __attribute__ ((__noreturn__));
595void mallocExit(int *g) {
596 struct xx *p = malloc(12);
Anna Zaksd3571e5a2012-02-11 21:02:40 +0000[diff] [blame]597 if (g != 0)
598 exit(1);
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]599 free(p);
600 return;
601}
602
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]603extern void __assert_fail (__const char *__assertion, __const char *__file,
604 unsigned int __line, __const char *__function)
605 __attribute__ ((__noreturn__));
606#define assert(expr) \
607 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
608void mallocAssert(int *g) {
609 struct xx *p = malloc(12);
610
Anna Zaksd3571e5a2012-02-11 21:02:40 +0000[diff] [blame]611 assert(g != 0);
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]612 free(p);
613 return;
614}
615
Anna Zaks41b84842012-02-11 23:46:36 +0000[diff] [blame]616void doNotInvalidateWhenPassedToSystemCalls(char *s) {
617 char *p = malloc(12);
618 strlen(p);
619 strcpy(p, s); // expected-warning {{leak}}
620}
621
Anna Zakse56167e2012-02-17 22:35:31 +0000[diff] [blame]622// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
623void symbolLostWithStrcpy(char *s) {
624 char *p = malloc(12);
625 p = strcpy(p, s);
626 free(p);
627}
628
629
630// The same test as the one above, but with what is actually generated on a mac.
631static __inline char *
632__inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
633{
634 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
635}
636
637void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
638 char *p = malloc(12);
639 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
640 free(p);
641}
Anna Zaks4ca45b12012-02-22 02:36:01 +0000[diff] [blame]642
643// Here we are returning a pointer one past the allocated value. An idiom which
644// can be used for implementing special malloc. The correct uses of this might
645// be rare enough so that we could keep this as a warning.
646static void *specialMalloc(int n){
647 int *p;
648 p = malloc( n+8 );
649 if( p ){
650 p[0] = n;
651 p++;
652 }
653 return p;
654}
655
656// Potentially, the user could free the struct by performing pointer arithmetic on the return value.
657// This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
658int *specialMallocWithStruct() {
659 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
660 return &(px->g);
661}
662
Anna Zaks199e8e52012-02-22 03:14:20 +0000[diff] [blame]663// Test various allocation/deallocation functions.
Anna Zaks199e8e52012-02-22 03:14:20 +0000[diff] [blame]664void testStrdup(const char *s, unsigned validIndex) {
665 char *s2 = strdup(s);
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]666 s2[validIndex + 1] = 'b';// expected-warning {{Memory is never released; potential leak}}
Anna Zaks199e8e52012-02-22 03:14:20 +0000[diff] [blame]667}
668
669int testStrndup(const char *s, unsigned validIndex, unsigned size) {
670 char *s2 = strndup(s, size);
671 s2 [validIndex + 1] = 'b';
672 if (s2[validIndex] != 'a')
Anna Zaksdf901a42012-02-23 21:38:21 +0000[diff] [blame]673 return 0;
Anna Zaks199e8e52012-02-22 03:14:20 +0000[diff] [blame]674 else
Anna Zaksfc2e1532012-03-21 19:45:08 +0000[diff] [blame]675 return 1;// expected-warning {{Memory is never released; potential leak}}
Anna Zaks199e8e52012-02-22 03:14:20 +0000[diff] [blame]676}
677
Anna Zaks40a7eb32012-02-22 19:24:52 +0000[diff] [blame]678void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
679 char *s2 = strdup(s);
680 char result = s2[1];// no warning
681 free(s2);
682}
683
Anna Zakse0c03ca2012-02-29 18:42:47 +0000[diff] [blame]684// ----------------------------------------------------------------------------
Anna Zaks07de9c12012-02-23 01:05:27 +0000[diff] [blame]685// Test the system library functions to which the pointer can escape.
Anna Zakse0c03ca2012-02-29 18:42:47 +0000[diff] [blame]686// This tests false positive suppression.
Anna Zaks07de9c12012-02-23 01:05:27 +0000[diff] [blame]687
688// For now, we assume memory passed to pthread_specific escapes.
689// TODO: We could check that if a new pthread binding is set, the existing
690// binding must be freed; otherwise, a memory leak can occur.
691void testPthereadSpecificEscape(pthread_key_t key) {
692 void *buf = malloc(12);
693 pthread_setspecific(key, buf); // no warning
694}
695
Anna Zakse0c03ca2012-02-29 18:42:47 +0000[diff] [blame]696// PR12101: Test funopen().
697static int releasePtr(void *_ctx) {
698 free(_ctx);
699 return 0;
700}
701FILE *useFunOpen() {
702 void *ctx = malloc(sizeof(int));
703 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
704 if (f == 0) {
705 free(ctx);
706 }
707 return f;
708}
709FILE *useFunOpenNoReleaseFunction() {
710 void *ctx = malloc(sizeof(int));
711 FILE *f = funopen(ctx, 0, 0, 0, 0);
712 if (f == 0) {
713 free(ctx);
714 }
715 return f; // expected-warning{{leak}}
716}
717
718// Test setbuf, setvbuf.
719int my_main_no_warning() {
720 char *p = malloc(100);
721 setvbuf(stdout, p, 0, 100);
722 return 0;
723}
724int my_main_no_warning2() {
725 char *p = malloc(100);
726 setbuf(__stdoutp, p);
727 return 0;
728}
729int my_main_warn(FILE *f) {
730 char *p = malloc(100);
731 setvbuf(f, p, 0, 100);
732 return 0;// expected-warning {{leak}}
733}
734
Ted Kremenek9d96f842012-03-05 23:06:19 +0000[diff] [blame]735// <rdar://problem/10978247>.
736// some people use stack allocated memory as an optimization to avoid
737// a heap allocation for small work sizes. This tests the analyzer's
738// understanding that the malloc'ed memory is not the same as stackBuffer.
739void radar10978247(int myValueSize) {
740 char stackBuffer[128];
741 char *buffer;
742
743 if (myValueSize <= sizeof(stackBuffer))
744 buffer = stackBuffer;
745 else
746 buffer = malloc(myValueSize);
747
748 // do stuff with the buffer
749 if (buffer != stackBuffer)
750 free(buffer);
751}
752
753void radar10978247_positive(int myValueSize) {
754 char stackBuffer[128];
755 char *buffer;
756
757 if (myValueSize <= sizeof(stackBuffer))
758 buffer = stackBuffer;
759 else
760 buffer = malloc(myValueSize);
761
762 // do stuff with the buffer
763 if (buffer == stackBuffer) // expected-warning {{leak}}
764 return;
765}
766
Ted Kremenek468365b2012-04-26 05:08:26 +0000[diff] [blame]767// <rdar://problem/11269741> Previously this triggered a false positive
768// because malloc() is known to return uninitialized memory and the binding
769// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
770struct rdar11269741_a_t {
771 struct rdar11269741_b_t {
772 int m;
773 } n;
774};
775
776int rdar11269741(struct rdar11269741_b_t o)
777{
778 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
779 p->n = o;
780 return p->n.m; // expected-warning {{leak}}
781}
782
Anna Zaks1655aee2012-05-03 02:13:56 +0000[diff] [blame]783// Pointer arithmetic, returning an ElementRegion.
784void *radar11329382(unsigned bl) {
785 void *ptr = malloc (16);
786 ptr = ptr + (2 - bl);
787 return ptr; // no warning
788}
789
Anna Zaks84d70a92012-05-01 21:10:29 +0000[diff] [blame]790void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
791int strcmp(const char *, const char *);
792char *a (void);
793void radar11270219(void) {
794 char *x = a(), *y = a();
795 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
796 strcmp(x, y); // no warning
797}
798
Anna Zaks263b7e02012-05-02 00:05:20 +0000[diff] [blame]799void radar_11358224_test_double_assign_ints_positive_2()
800{
801 void *ptr = malloc(16);
802 ptr = ptr; // expected-warning {{leak}}
803}
804
Anna Zaks228f9c72012-05-03 23:50:28 +0000[diff] [blame]805// Assume that functions which take a function pointer can free memory even if
806// they are defined in system headers and take the const pointer to the
807// allocated memory. (radar://11160612)
808int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
809void r11160612_1() {
810 char *x = malloc(12);
811 const_ptr_and_callback(0, x, 12, free); // no - warning
812}
813
814// Null is passed as callback.
815void r11160612_2() {
816 char *x = malloc(12);
817 const_ptr_and_callback(0, x, 12, 0); // expected-warning {{leak}}
818}
819
820// Callback is passed to a function defined in a system header.
821void r11160612_4() {
822 char *x = malloc(12);
823 sqlite3_bind_text_my(0, x, 12, free); // no - warning
824}
825
Anna Zaks6ccfcf32012-05-03 23:50:33 +0000[diff] [blame]826// Passing callbacks in a struct.
827void r11160612_5(StWithCallback St) {
828 void *x = malloc(12);
829 dealocateMemWhenDoneByVal(x, St);
830}
831void r11160612_6(StWithCallback St) {
832 void *x = malloc(12);
833 dealocateMemWhenDoneByRef(&St, x);
834}
835
Anna Zaks63509fb2012-05-04 17:37:16 +0000[diff] [blame]836int mySub(int, int);
837int myAdd(int, int);
838int fPtr(unsigned cond, int x) {
839 return (cond ? mySub : myAdd)(x, x);
840}
841
Anna Zaks3563fde2012-06-07 03:57:32 +0000[diff] [blame^]842// Test anti-aliasing.
Anna Zaksd3571e5a2012-02-11 21:02:40 +0000[diff] [blame]843
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]844void dependsOnValueOfPtr(int *g, unsigned f) {
845 int *p;
846
847 if (f) {
848 p = g;
849 } else {
850 p = malloc(12);
851 }
852
853 if (p != g)
854 free(p);
855 else
Anna Zaks3563fde2012-06-07 03:57:32 +0000[diff] [blame^]856 return; // no warning
Anna Zakse963fd52012-02-10 01:11:03 +0000[diff] [blame]857 return;
858}
859
Anna Zaks3563fde2012-06-07 03:57:32 +0000[diff] [blame^]860int CMPRegionHeapToStack() {
861 int x = 0;
862 int *x1 = malloc(8);
863 int *x2 = &x;
864 if (x1 == x2)
865 return 5/x; // expected-warning{{This statement is never executed}}
866 free(x1);
867 return x;
868}
869
870int CMPRegionHeapToHeap2() {
871 int x = 0;
872 int *x1 = malloc(8);
873 int *x2 = malloc(8);
874 int *x4 = x1;
875 int *x5 = x2;
876 if (x4 == x5)
877 return 5/x; // expected-warning{{This statement is never executed}}
878 free(x1);
879 free(x2);
880 return x;
881}
882
883int CMPRegionHeapToHeap() {
884 int x = 0;
885 int *x1 = malloc(8);
886 int *x4 = x1;
887 if (x1 == x4) {
888 free(x1);
889 return 5/x; // expected-warning{{Division by zero}}
890 }
891 return x;// expected-warning{{This statement is never executed}}
892}
893
894int HeapAssignment() {
895 int m = 0;
896 int *x = malloc(4);
897 int *y = x;
898 *x = 5;
899 if (*x != *y)
900 return 5/m; // expected-warning{{This statement is never executed}}
901 free(x);
902 return 0;
903}
904
Anna Zakse0c03ca2012-02-29 18:42:47 +0000[diff] [blame]905// ----------------------------------------------------------------------------
Anna Zaksd32ead82012-02-16 03:40:57 +0000[diff] [blame]906// False negatives.
907
908// TODO: This requires tracking symbols stored inside the structs/arrays.
909void testMalloc5() {
910 StructWithPtr St;
911 StructWithPtr *pSt = &St;
912 pSt->memP = malloc(12);
913}
Anna Zaks33c364b2012-02-16 22:26:15 +0000[diff] [blame]914
Anna Zaks4ca45b12012-02-22 02:36:01 +0000[diff] [blame]915// TODO: This is another false negative.
916void testMallocWithParam(int **p) {
917 *p = (int*) malloc(sizeof(int));
918 *p = 0;
919}
920
921void testMallocWithParam_2(int **p) {
922 *p = (int*) malloc(sizeof(int));
923}
924
Anna Zaks33c364b2012-02-16 22:26:15 +0000[diff] [blame]925// TODO: This should produce a warning, similar to the previous issue.
926void localArrayTest() {
927 char *p = (char*)malloc(12);
928 char *ArrayL[12];
929 ArrayL[0] = p;
930}
931
Ted Kremenekf56d4f22012-05-01 21:58:29 +0000[diff] [blame]932// Test double assignment through integers.
933static long glob;
934void test_double_assign_ints()
935{
936 void *ptr = malloc (16); // no-warning
937 glob = (long)(unsigned long)ptr;
938}
939
940void test_double_assign_ints_positive()
941{
942 void *ptr = malloc(16);
943 (void*)(long)(unsigned long)ptr; // expected-warning {{unused}} expected-warning {{leak}}
944}
945